Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet and potentially written by the same people who wrote the Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability against Microsoft to exploit the operating system and install the components of the worm stealthy and just like Stuxnet, it also installs a driver with a valid digital signature, the digital certificate used for this seem to have been stolen from a company in Taiwan.

However the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems and specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily a malware designed to give the attacker complete control over the compromised machine remotely, often termed a Remote Access Trojan (RAT). It is also believed to install malwares that records keystrokes and collect other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu being a “precursor to the next Stuxnet.” It does make one wonder as to what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malwares like Duqu use external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executable onto the infected machine, exfiltrate sensitive information from them, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C server identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) that it belonged to was being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy and because it was a system that was being managed by the client itself, Web Werks did not have any control over what was running in it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.

Getting hold of the C&C servers however doesn’t seem to have done the investigators a whole lot of good though. Recent reports from Symantec indicate that all the three C&C servers, including the one hosted at Web Werks have been setup to forward all the traffic from the worm to other servers, making the discovery of the final endpoint of the C&C chain hard to pinpoint.

The last few year have seen a drastic uptick in the incidents related to cyber crime and the case of Stuxnet and Duqu have shown us that the new generation of malware are being continually honed for purposes that go beyond pranks, notoriety or money.

Minister of State for Communications & Information Technology has provided the official version of the impact of Stuxnet on critical infrastructures in India. In a reply to a written question in Rajya Sabha on 11th March, he provided the information that:

Some computer systems in India were also infected by the Stuxnet, but none of the infections have so far been reported in sensitive Industrial systems.

He then goes on to explain the steps being taken to tackle the problem of virus and protection of sensitive installations in the country, which includes the use of alerts and advisories being produced by CERT-In and workshops being conducted by it. With such a mandate one would assume CERT-In is on the top of things at least when it comes to issuing advisories. Not so! They issued the advisory on Stuxnet on July 23rd 2010, long after Virusblokada reported W32.Stuxnet (June 17), Microsoft issued the advisory 2286198 (July 16) and after Siemens report that it is investigating reports that the malware is infecting the SCADA systems (July 19). With such a lag in issuing the advisory, it would be hard to give CERT-In any credit for the reported absence of Stuxnet in “sensitive Industrial systems”.

As usual these official press releases opens up more questions. For one, where exactly were the computer systems that were infected by Stuxnet found? This is second to the more intriguing question – what is with the title of the press release – “Protection of Sensitive Installations from but ‘Free Virus’”?

Imagine a deadly computer virus makes its way around a well-guarded, critical industrial complex—say a nuclear plant—sabotaging its operations by sending bad commands to the centrifuge controller. “Storyline of a B-grade Hollywood movie,” you might say. The Stuxnet worm, a piece of malicious software or malware, whose origins are yet unknown, is designed to do such things.

(…)

Jeffrey Carr, a noted authority on cyber security, suggested in a blog post published by Forbes that the glitch experienced by India’s INSAT-4B communication satellite on July 7th could be the handiwork of the Stuxnet worm. The glitch, attributed to a power supply anomaly in one of its two solar panels led to the shutdown of 12 of the 24 transponders on the satellite. Carr bases his hypothesis, partially at least, on the fact that the Indian Space Research Organisation (ISRO) is a Siemens customer and that two former engineers’ resumes seem to suggest that Siemens PLC and WinCC software were used by ISRO’s Liquid Propulsion Systems Centre.